Fortnite bug gave hackers access to millions of player accounts, researchers say

If you or your child plays Fortnite, you might want to take a closer look at your recent credit card statements.

Epic Games, the maker of the hit online battle royal title, acknowledged Wednesday that a flaw in the game’s log-in system could have allowed hackers to impersonate real players and purchase in-game currency using the credit cards on file.

Hackers could then have siphoned off those purchases from hijacked accounts into other accounts they controlled, according to security researchers.

It’s unclear how many players may have been directly affected by the bug; Epic declined to comment on the scope of the vulnerability and said the matter has been addressed. But about 80 million people play Fortnite every month, and as many as 200 million users have registered accounts, the company has previously said.

“We encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” Epic said in a statement.

Epic’s acknowledgment follows a report by Check Point Research, an information security group, which said it privately notified Epic of the flaw after tests revealed it could lead to widespread fraud.

The bug gave hackers the ability to steal pieces of code used to identify a player when he or she logs into the game using a third-party account such as Facebook or Xbox Live, the researchers said. Players could have been exposed to the flaw if they clicked a malicious phishing link designed to exploit the vulnerability. Along with its report, the group also published a YouTube video explaining the research.

After using these security tokens to access a player’s account in Fortnite, hackers could then take actions such as buying in-game currency, weapons and cosmetic accessories, according to the report. The report also said that hackers could have gained access to players' contact lists and eavesdropped on conversations in the game’s voice chat. Epic spokesman Nick Chester denied the claim. Epic said that while hackers pretending to be players could have joined a game party and listened in on those group conversations, they would not have been able to eavesdrop on other four-player groups they were not a part of.

“Bad actors/hackers were not able to eavesdrop on conversations as is suggested here,” he said in an email. “This is not in any way factual.”

Check Point estimates that the vulnerability was open at least since 2018.

The enormous popularity of Fortnite makes it a juicy target for hackers — and the possibility of a breach affecting the equivalent of two-thirds the U.S. population is a serious risk, experts say.

"The chain of the vulnerabilities within the log-in flow provide[d] the hacker the ability to take full control of the account,” said Oded Vanunu, Check Point’s head of products vulnerability research.

He added in a statement: “Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy.”

Comments

Brian FungBrian Fung covers business and technology for The Washington Post. Before joining The Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic. Follow